Unverified Commit 17eb6dcb authored by Wolfgang Walther's avatar Wolfgang Walther

workflows: move eval from push to queue

Running eval in the merge queue prevents eval failures after merging
multiple PRs with semantic merge conflicts.

It's also the base for allowing more sophisticated checks about rebuild
counts in the merge queue later.

When branches are directly pushed to, such as for periodic merges, this
will not run Eval immediately. However, the next PR will run it as part
of its Eval step and will cache the results. Any further PR will then
benefit from the same caching again.

This also avoids running Eval twice when pushing to staging-next or
haskell-updates, where a PR is open at the same time. Here, the PR's
Eval still runs on the push, of course.
parent 1506cdec
+1 −1
@@ -139,7 +139,7 @@ jobs:
        if: inputs.targetSha
        env:
          MATRIX_SYSTEM: ${{ matrix.system }}
        # This should be very quick, because it pulls the eval results from Cachix.
        # This is very quick, because it pulls the eval results from Cachix.
        run: |
          nix-build nixpkgs/trusted/ci --arg nixpkgs ./nixpkgs/trusted-pinned -A eval.singleSystem \
            --argstr evalSystem "$MATRIX_SYSTEM" \
+31 −0
@@ -17,6 +17,21 @@ on:
permissions: {}

jobs:
  prepare:
    runs-on: ubuntu-24.04-arm
    outputs:
      systems: ${{ steps.systems.outputs.systems }}
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          sparse-checkout: |
            ci/supportedSystems.json

      - name: Load supported systems
        id: systems
        run: |
          echo "systems=$(jq -c <ci/supportedSystems.json)" >> "$GITHUB_OUTPUT"

  lint:
    name: Lint
    uses: ./.github/workflows/lint.yml
@@ -26,6 +41,21 @@ jobs:
      mergedSha: ${{ inputs.mergedSha || github.event.merge_group.head_sha }}
      targetSha: ${{ inputs.targetSha || github.event.merge_group.base_sha }}

  eval:
    name: Eval
    needs: [prepare]
    uses: ./.github/workflows/eval.yml
    # The eval workflow requests these permissions so we must explicitly allow them,
    # even though they are unused when working with the merge queue.
    permissions:
      # compare
      statuses: write
    secrets:
      CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
    with:
      mergedSha: ${{ inputs.mergedSha || github.event.merge_group.head_sha }}
      systems: ${{ needs.prepare.outputs.systems }}

  # This job's only purpose is to create the target for the "Required Status Checks" branch ruleset.
  # It "needs" all the jobs that should block the Merge Queue.
  unlock:
@@ -33,6 +63,7 @@ jobs:
    # Modify this list to add or remove jobs from required status checks.
    needs:
      - lint
      - eval
    runs-on: ubuntu-24.04-arm
    permissions:
      statuses: write
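Review bot: The checkout in the new `prepare` job has no `ref:`, so `ci/supportedSystems.json` is read from the commit of the triggering event, while the new `eval` job is handed `inputs.mergedSha || github.event.merge_group.head_sha`. On a `merge_group` event these should be the same commit. When the workflow is entered with an explicit `mergedSha` input, the system matrix and the evaluated tree can come from different commits; this is inferred from the `inputs.mergedSha` references, because the `on:` block is outside the visible hunks. Consider adding `ref: ${{ inputs.mergedSha || github.event.merge_group.head_sha }}` under the checkout's `with:`, or a comment above the step stating that reading the list from the triggering ref is intended.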

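--- a/.github/workflows/push.yml
+++ /dev/null
@@ -1,50 +0,0 @@
-name: Push
-
-on:
-  push:
-    branches:
-      - master
-      - staging
-      - release-*
-      - staging-*
-      - haskell-updates
-  workflow_call:
-    inputs:
-      mergedSha:
-        required: true
-        type: string
-    secrets:
-      CACHIX_AUTH_TOKEN:
-        required: true
-
-permissions: {}
-
-jobs:
-  prepare:
-    runs-on: ubuntu-24.04-arm
-    outputs:
-      systems: ${{ steps.systems.outputs.systems }}
-    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-        with:
-          sparse-checkout: |
-            ci/supportedSystems.json
-
-      - name: Load supported systems
-        id: systems
-        run: |
-          echo "systems=$(jq -c <ci/supportedSystems.json)" >> "$GITHUB_OUTPUT"
-
-  eval:
-    name: Eval
-    needs: [prepare]
-    uses: ./.github/workflows/eval.yml
-    # Those are not actually used on push, but will throw an error if not set.
-    permissions:
-      # compare
-      statuses: write
-    secrets:
-      CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
-    with:
-      mergedSha: ${{ inputs.mergedSha || github.sha }}
-      systems: ${{ needs.prepare.outputs.systems }}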
+1 −19
@@ -48,6 +48,7 @@ jobs:
            })).map(file => file.filename)

            if (files.some(file => [
              '.github/workflows/eval.yml',
              '.github/workflows/lint.yml',
              '.github/workflows/merge-group.yml',
              '.github/workflows/test.yml',
@@ -65,12 +66,6 @@ jobs:
              '.github/workflows/test.yml',
            ].includes(file))) core.setOutput('pr', true)

            if (files.some(file => [
              '.github/workflows/eval.yml',
              '.github/workflows/push.yml',
              '.github/workflows/test.yml',
            ].includes(file))) core.setOutput('push', true)

  merge-group:
    if: needs.prepare.outputs.merge-group
    name: Merge Group
@@ -98,16 +93,3 @@ jobs:
    secrets:
      CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
      NIXPKGS_CI_APP_PRIVATE_KEY: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }}

  push:
    if: needs.prepare.outputs.push
    name: Push
    needs: [prepare]
    uses: ./.github/workflows/push.yml
    # Those are not actually used on the push or pull_request events, but will throw an error if not set.
    permissions:
      statuses: write
    secrets:
      CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
    with:
      mergedSha: ${{ needs.prepare.outputs.mergedSha }}